Posted on

How to Secure WordPress Websites in 2019

WordPress Security

As with everything in life, being secure comes down to being cautious, reasonable and thinking logically. Security is a serious business and security and WordPress is always a big issue.

Although WordPress.org development team is quick to release security patches and updates, the same cannot be said about WordPress themes and plugins made by independent developers.

WordPress best practices keep WordPress websites secure.

There are lots of WordPress security plugins, but it’s not enough to just leave it to some 3rd party plugin to take care of your business. It’s up to you to keep WordPress safe and get all angles covered.

1. Choose Wisely and Update Regularly

WordPress updates don’t always bring just cool new features and options, but patch security vulnerabilities and fix bugs.

When installing themes and plugins, make sure they’re being updated regularly and that the author is responding to support questions. Often a premium WordPress product gets you a premium service, as well. Whatever you choose, see whether it’s a product made with best practices in mind and this will ensure there are no compatibility or security issues.

Always use trusted sources and for free stuff this means the official WordPress theme or plugin repositories. If you want to use commercial themes or plugins, do your research and get informed on quality of the author.

2. Don’t Go With the Defaults

This one’s a tip from our developer Slobodan: codex.wordpress.org is a large knowledge base, so whenever you have doubts about anything WordPress, try to find your answers there first. There’s a whole section on security and I would like to point out security through obscurity part:

  1. Don’t ever use the default administrator username – “admin”
  2. Default WordPress database prefix is – “wp_” and by changing this prefix you’ll repel some SQL injection attacks

3. Backup Your WordPress

Every single person has a story to tell about how they lost data. Data loss is such a real problem for many people. You can imagine going to sleep at night with your phone under your pillow. When you wake up, all your phone contacts are gone and the messages also deleted, plus music and pictures too.

The reason for this loss is that you forgot to lock your touch screen and as you tossed and turned over the night, you kept directing your phone to clear up your data. Imagine if this was to happen to your business’ data.

Backups keep you safe not only from server failures and incompatible software updates, but also from hackers. Of course, you will not sleep on the servers that contain your databases but then there are ways that you can lose the data. In fact, there are lots of ways that you can lose this data from a database.

Best WordPress Backup Options

There are several backup plugins that are available for your WordPress database. The best of these yet include the likes of:

Backup Buddy

BackupBuddy WordPress backup

This one is favored because it provides a comprehensive backup solution for WordPress sites. It gives you the opportunity to back up a variety of sources not just a hard drive. With BackupBuddy you can store away Amazon Web Services, Rackspace, Dropbox and even email content.

The back up process is completed fast and effortlessly thanks to the push button solutions that it offers. All that you need to do is pick up where you would like to store your backup and how frequently you would want them to occur and you will be good to go.

Updraft Plus

Updraft Plus WordPress backup plugin
UpdraftPlus completely free unlike the before mentioned Backup Buddy. It is straightforward and user friendly. It will support backups to Amazon Web Services, FTP, Dropbox, Rackspace and email. It also works wonderfully with Google Drive plus a many other storage solutions.

There is a premium version of UpdraftPlus and it comes with added features, such as automatic updates, reporting, no advertisements, site migrator, and so forth.

Backup WordPress

BackUpWordPress WP plugin
BackUpWordPress is another plugin that is extremely popular. It allows you to backup your WordPress site automatically. This plugin includes scheduling so that you are able to create a different schedule for your files and your database. Setting it up is effortless and it is completely user-friendly.

The only problem with this one is that if you would like to store your backups anywhere else other than your email or hard drive then you will have to purchase an extension. This plugin comes with an extension for individual cloud storage, which includes Dropbox and Google Drive.

Backing up your content is important. Setting up a database backup is not exactly the simplest of tasks, but if you have a good database administrator, you will be able to save yourself a lot of effort.

That time you can spend in creating the backups, securing the database and other security tasks can be saved by using backup plugins and hiring a remote database administrator. It is easy and it really does help the business to grow unaffected by technicalities.

4. Reduce Credentials

WordPress CredentialsPeople need only credentials that are enough for them to do their job. It basically means you should practice proper management and use of roles and capabilities. Nobody who’s only writing articles or editing posts needs administrative rights.

Your admin account should only be used when you’re performing administrative tasks, updating your WordPress installation, installing or deinstalling themes and plugins or for other major changes.

5. Use Strong Passwords

This one is simple. Use long pass-phrases, special characters and numbers for every single password. Don’t use same passwords for different accounts. Enable “Force Strong Passwords” feature in your WordPress dashboard.

You can always use password management applications, like 1Password or cloud-based LastPass which can also create strong passwords for you.

6. Security Plugins

There are several security plugins for WordPress, but only two worth mentioning. They are:

Most plugins give a false sense of security, but these two will get you covered for just about any eventuality. You should’t think twice when enabling “limit login attempts feature” and for everything else there’s an explanation in the documentation. You should also harden WordPress security through .htaccess configuration file.

Conclusion

WordPress is growing at an unimaginable rate and so is the number of malicious WordPress attacks. Use and install only those products which are absolutely necessary to run your website. This applies to both themes and plugins. The more stuff you add the more stuff you need to maintain. If you need

Themes that have lots of features have a lot more stuff that can break and are generally more susceptible to hacker attack. Free things are not always good. Take a look at this post about Why You Should Never Search For Free Premium WordPress Themes.

If you’re maintaining and updating WordPress regularly, limiting credentials, using strong passwords and scheduled backups, you’re pretty much protected from anything malicious out there.

If you suspect you’ve been under attack or infected, try this How to Clean a WordPress Hack guide by Sucuri. These guys specialize in website security and offer professional service in maintaining and disinfecting websites.

If you have any recommendations on how to secure WordPress websites, share it with me in the comments section below.

Free Marketing Updates
Get the best marketing practices in your inbox.
We always respect your privacy.

Share
Dragan Nikolic
I am a co-founder and editor at ThematoSoup, sharing marketing best practices, tips on how to simplify your online business and make it more manageable.
Dragan Nikolic
Hey @tj_reinhart do you accept new affiliate partners on Sumo? - 7 months ago
Dragan Nikolic

5 comments How to Secure WordPress Websites in 2019

  1. These are some good basic points, but there is a lot more someone that is familiar with software security can do. One of the biggest issues is sloppy coding in plugins. People will actually “code their own” functions instead of using base WordPress classes that do the same thing.

    Its such a huge issue I am actually starting a business around it. (shameless plug)

    1. No shame in it, your business will be useful to many WordPress publishers.

      What we focus on here at out blog is mostly tips for non-developers who don’t understand code, but if they want to make sure their plugins’ code is top notch, I’m sure they’d find a service that warns them about bad code very useful.

      1. Thanks Slobodan. You guys do a great job. I am following it now. The articles are really well written. I take it you are consultants even though I dont see a big “hire me” button. Shoot me an email at the address on this post Id be interested in rates and maybe some of the things you have done in the past.

  2. I can totally agree with the following statement by Dragan: “WordPress is growing at an unimaginable rate and so is the number of malicious WordPress attacks.”

    The blogosphere grows – The hacking increases! While these tips are basically just the tip of the iceberg – there are many, many more things one can do to decrease the possibility in having his/her WordPress site or blog exploited or fall victim to malicious attack.

    New bloggers have a tendency to overlook or “forget” many small things when starting a new blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.